themaster1970sf/TShock
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions

fix(db/postgres): Resolve SQL identifier casing issues

Browse source 
Improves SQL query execution by ensuring proper casing for identifiers across various database types, particularly for Postgres.

Enhances security and compatibility by using an identifier escaping method, preventing potential errors due to case sensitivity in SQL queries.

Addresses potential issues with existing queries for better reliability and consistency.
This commit is contained in:
Sakura Akeno Isayeki 2025-04-29 00:47:19 +02:00
parent 69b98980f1
commit 2d839e3609
No known key found for this signature in database
GPG key ID: BAB781B71FD2E7E6
9 changed files with 81 additions and 47 deletions
Download patch file Download diff file Expand all files Collapse all files

27
TShockAPI/DB/BanManager.cs
View file

@ -78,7 +78,7 @@ namespace TShockAPI.DB
}
catch (DllNotFoundException)
{
System.Console.WriteLine(GetString("Possible problem with your database - is Sqlite3.dll present?"));
Console.WriteLine(GetString("Possible problem with your database - is Sqlite3.dll present?"));
throw new Exception(GetString("Could not find a database library (probably Sqlite3.dll)"));
}
@ -355,7 +355,9 @@ namespace TShockAPI.DB
return Bans[id];
}
using var reader = database.QueryReader("SELECT * FROM PlayerBans WHERE TicketNumber=@0", id);
string query = $"SELECT * FROM PlayerBans WHERE {"TicketNumber".EscapeSqlId(database)}=@0";
using var reader = database.QueryReader(query, id);
if (reader.Read())
{
@ -380,10 +382,11 @@ namespace TShockAPI.DB
/// <returns></returns>
public IEnumerable<Ban> RetrieveBansByIdentifier(string identifier, bool currentOnly = true)
{
string query = "SELECT * FROM PlayerBans WHERE Identifier=@0";
string query = $"SELECT * FROM PlayerBans WHERE {"Identifier".EscapeSqlId(database)}=@0";
if (currentOnly)
{
query += $" AND Expiration > {DateTime.UtcNow.Ticks}";
query += $" AND {"Expiration".EscapeSqlId(database)} > {DateTime.UtcNow.Ticks}";
}
using var reader = database.QueryReader(query, identifier);
@ -412,11 +415,11 @@ namespace TShockAPI.DB
//Generate a sequence of '@0, @1, @2, ... etc'
var parameters = string.Join(", ", Enumerable.Range(0, identifiers.Length).Select(p => $"@{p}"));
string query = $"SELECT * FROM PlayerBans WHERE Identifier IN ({parameters})";
string query = $"SELECT * FROM PlayerBans WHERE {"Identifier".EscapeSqlId(database)} IN ({parameters})";
if (currentOnly)
{
query += $" AND Expiration > {DateTime.UtcNow.Ticks}";
query += $" AND {"Expiration".EscapeSqlId(database)} > {DateTime.UtcNow.Ticks}";
}
using var reader = database.QueryReader(query, identifiers);
@ -449,7 +452,7 @@ namespace TShockAPI.DB
List<Ban> banlist = new List<Ban>();
try
{
using var reader = database.QueryReader($"SELECT * FROM PlayerBans ORDER BY {SortToOrderByMap[sortMethod]}");
using var reader = database.QueryReader($"SELECT * FROM PlayerBans ORDER BY {SortToOrderByMap(sortMethod)}");
while (reader.Read())
{
@ -490,12 +493,12 @@ namespace TShockAPI.DB
return false;
}
private readonly Dictionary<BanSortMethod, string> SortToOrderByMap = new()
private string SortToOrderByMap(BanSortMethod sortMethod) => sortMethod switch
{
{ BanSortMethod.AddedNewestToOldest, "Date DESC" },
{ BanSortMethod.AddedOldestToNewest, "Date ASC" },
{ BanSortMethod.ExpirationSoonestToLatest, "Expiration ASC" },
{ BanSortMethod.ExpirationLatestToSoonest, "Expiration DESC" }
BanSortMethod.AddedNewestToOldest => $"{"Date".EscapeSqlId(database)} DESC",
BanSortMethod.AddedOldestToNewest => $"{"Date".EscapeSqlId(database)} ASC",
BanSortMethod.ExpirationSoonestToLatest => $"{"Expiration".EscapeSqlId(database)} ASC",
BanSortMethod.ExpirationLatestToSoonest => $"{"Expiration".EscapeSqlId(database)} DESC"
};
}